
Dox Facebook Employee Behind "Life Events" Videos

Last year, I found a similar vulnerability for deanonymizing Facebook employees behind stock questions. This time, I found another way to deanonymize an employee at Facebook, except the way it works is a lot simpler.

What is “Facebook Life Events”?

Facebook Life Events, a feature for letting users announce important moments, was redesigned back in December 2018. The new Life Events comes with some stock artwork videos provided by Facebook.

To help people do this, we’re providing new options, including animated photos and videos. If you don’t have your own images, you can now choose from a wide range of art from Facebook.

Elaborations

One way Facebook makes stock media content accessible to regular Facebook users while keeping it flexible is to create a dummy account that acts as a “container” for that content. This is how Facebook manages the “Life Events” stock videos and makes them accessible to users.

This dummy Facebook account that sources those stock videos is currently showing information that identifies the Facebook employee behind it.

Impact

It reveals the identity of the Facebook employee who handles the new Life Event stock videos. Non-employees are not supposed to have access to this information.

Reproduction Steps

Due to this being a public vulnerability disclosure, some information is redacted.

Query a source stock video

Server Request

HTTP POST /graphql
Host: graph.facebook.com

doc_id=REDACTED

Server Response

{
  "data": {
    "viewer": {
      "life_event_content_suggestions": {
        "edges": [{
          "node": {
            "id": "10150000000000000",
            "image": null,
            "video": {
              "id": "10150000000000000",
              "image": {
                "uri": "...",
                "width": 960,
                "height": 640
              },
              "playable_duration": 6,
              "playable_url": "..."
            }
          }
        }]
      }
    }
  }
}

The ID from data.viewer.life_event_content_suggestions.edges[0].node.video.id belongs to the source video of a new Life Event stock video.

For this Proof-of-Concept, we will use 10150000000000000 for upcoming steps.

Browse the Facebook profile behind the source stock video

Go to https://facebook.com/10150000000000000

And it brings us to: https://www.facebook.com/xxxxx.xxxxxxxxxxxxx/videos/10150000000000000/

User “Xxxxxxxxxxxxx Xxxxx” (@xxxxx.xxxxxxxxxxxxx) seems to be a dummy Facebook account. Let’s browse further…

This profile has an album “(redacted)“: https://www.facebook.com/xxxxx.xxxxxxxxxxxxx/media_set?set=a.10100000000000000&type=3

Identity Revealed

This album has multiple contributors: “Xxxxxxxxxxxxx Xxxxx” and “Yyyyyyyyyyy Yy”

Yyyyyyyyyyy Yy is a “Software Engineer at Facebook”. Identity revealed.

Remarks

This is one of my simplest (and silliest/most-preventable) Proofs-of-Concept so far.

A way to prevent this from happening would be for the Facebook employee not to add their personal account to an album in the first place.
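The prevention above can be checked mechanically before stock content ships. The following is an added example, not code from the original post or from Facebook: it walks the same chain the reproduction steps follow (served video, owning account, album, contributor) over an inventory of publicly visible links and reports any path that ends at an account not registered as a service account. The inventory format, node names and relation names are hypothetical, and the data is constructed.

```python
from collections import deque

# Constructed inventory (hypothetical format): node -> list of
# (relation, neighbour) links that an ordinary user can follow.
PUBLIC_EDGES = {
    "video:stock-1": [("owned_by", "account:container-a")],
    "video:stock-2": [("owned_by", "account:container-b")],
    "account:container-a": [("has_album", "album:drafts")],
    "account:container-b": [("has_album", "album:final")],
    "album:drafts": [("contributor", "account:container-a"),
                     ("contributor", "account:employee-1")],
    "album:final": [("contributor", "account:container-b")],
}
# Accounts registered as containers. Anything else is treated as a
# person (fail closed), so unclassified accounts are reported too.
SERVICE_ACCOUNTS = {"account:container-a", "account:container-b"}

def exposure_paths(asset, edges=PUBLIC_EDGES, service=SERVICE_ACCOUNTS):
    """Breadth-first search from a served asset over public links.

    Returns one shortest path for every non-service account that is
    reachable, or [] when the asset only leads to service accounts.
    """
    seen = {asset}
    queue = deque([(asset, [asset])])
    findings = []
    while queue:
        node, path = queue.popleft()
        for relation, nxt in edges.get(node, []):
            if nxt in seen:
                continue
            seen.add(nxt)
            step = path + [f"--{relation}-->", nxt]
            if nxt.startswith("account:") and nxt not in service:
                findings.append(step)  # report; do not walk past a person
            else:
                queue.append((nxt, step))
    return findings

def audit(assets):
    """Return only the assets that expose a non-service account."""
    report = {a: exposure_paths(a) for a in assets}
    return {a: paths for a, paths in report.items() if paths}

if __name__ == "__main__":
    for asset, paths in audit(["video:stock-1", "video:stock-2"]).items():
        for p in paths:
            print(asset, "exposes:", " ".join(p))
```
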

Timeline

2018-12-12: Report Submitted

2018-12-13: Reproduction Attempts by Facebook Security Team

2018-12-13: Hints Sent

2018-12-14: Further Investigation by a Facebook Product Team

2019-01-02: Vulnerability patched by Facebook

2019-01-21: Bounty Awarded by Facebook